A Russian cyber attack that reportedly resulted in the theft of 1.2 billion internet credentials could cost £1.4 billion in insurable losses

A cyber attack by a Russian hacker group that resulted in the theft of 1.2 billion internet credentials from major companies around the world could cost £1.4 billion, according to an insurance group.

The attack, which came to light on Tuesday, allowed hackers to steal confidential user names and passwords from some 420,000 websites, ranging from household names to small Internet sites.

Hold Security, which uncovered that attack, did not give details of the companies affected. However, it described it as the “largest data breach known to date”.

Now Lloyd’s of London underwriter Barbican Insurance Group has estimated that potential insurable losses from this single event are in the region of £1.4 billion.

Based on the number of parties involved, Barbican estimates the cost of notifying potentially affected customers and continuing customer service will be £300 million.

In addition, customers should be offered credit monitoring to identify suspicious activity which, based on a conservative estimate of 5 per cent take-up, would cost £200m.

The company approximates that forensics costs to identify and remedy the breaches across compromised websites will amount to £600m.

The remaining £300 million of the costs will be composed of public relations expenses, potential regulatory action and other damages.

Geoff White, underwriting manager for cyber, technology and media at Barbican Insurance Group, said this incident highlights the “significant risks cyber-attacks currently pose to businesses”.

“As cyber criminals become increasingly sophisticated, widespread hacking such as this recent attack should no longer come as a surprise,” said White.

“Organisations are beginning to wake up to this threat and we have seen demand for cyber insurance increase more than threefold over the last two years alone.”

There is still much that is unclear about Tuesday’s revelation. As well as the question of which companies were affected by the hack, Hold Security has not revealed whether the passwords were encrypted.

Tom Burton, a director in KPMG’s cyber security practice, said that while the scale of the breach is eye-catching, the real issue is what the hackers can do with the stolen data.

“Accessing more than a billion passwords takes a significant level of organisation and sophistication, but if ever there was an argument that size doesn’t matter, this is it,” he said.

“Each year the number of password hacks seems to be climbing, but such a large amount in one go begs a question about what the attackers are going to do with the information they now possess.”

Burton suggested that one possibility is that they are planning to package the information, price it and sell it according to its usefulness.

“If this doesn’t prompt businesses and individuals to rethink how they are protecting themselves, the criminal fraternity will have a bright future ahead of them.”